Global survey reveals third-party risk programs struggling to keep up with regulatory expectation
SAN FRANCISCO, June 25, 2018 /PRNewswire-iReach/ -- A new global benchmarking survey reveals that despite growing regulatory expectations about how companies manage the risks posed by their relationships with third parties, most companies are still struggling to achieve some of the most basic requirements.
Aravo Solutions and the Center for Financial Professionals (CeFPro) launched the results of the survey at two international events in New York and London this month, where they were discussed by leading practitioners across the financial services industry. The report, published today, is available at: http://info.aravo.com/cefpro-third-party-risk-survey
The survey revealed that most third-party risk management programs are in the early stages of maturity and are struggling to keep pace with the widening scope of regulatory expectation. In particular, increased regulatory focus on cyber-risk, concentration risk, and fourth parties, is not matched by most organizations' ability to manage these emerging risks.
Kimberley Allan, CMO, Aravo Solutions said: "The results show that third-party risk management teams recognize that they face significant program implementation challenges, and that they worry about their ability to keep up with the velocity of change and expanding regulatory expectation, at the same time as they lay the foundations of their programs."
Andreas Simou, Director, Center for Financial Professionals said: "This detailed benchmarking survey provides insight into the practical reality and challenges facing third-party risk teams in this rapidly evolving discipline. The findings will help firms develop their road-map to maturity, and help with planning, resourcing and direction."
Key survey results include:
Maturity
Most organizations are at a relatively early stage of their program maturity – 67% of respondents report their programs were developing, defined, or in the initial stages of maturity. Just 5% reported that their programs were optimized, with the remaining 28% stating that their programs were established. Many organizations lack dedicated resources or have only small teams, for what is becoming an increasingly complex, dynamic, and scrutinized function.
Managing and maintaining a full inventory of third parties
Regulators expect firms to have a complete inventory of their third-party relationships. Yet, what is seemingly the most basic of expectations – knowing who all your third parties are - can be a challenge. The survey found that 6% did not know how many third parties they had, and that 75% did not have all their third parties in a single inventory. Incomplete and multiple inventories make reporting on third parties difficult, with the majority (72%) of respondents indicating they would be unable to produce a complete report of all their third parties quickly.
Due diligence
There is an expectation that banks should conduct due diligence on all potential third parties before selecting and entering into contracts or relationships, and that they perform ongoing monitoring once the contract is in place. The survey found that 73% of respondents had not conducted initial due diligence on all their third parties, with 32% having conducted initial due diligence on fewer than half of their third parties. Only 17% are conducting ongoing due diligence on all their third parties. 4% are not conducting ongoing due diligence at all.
Concentration risk
A growing concern among regulators is that consolidation among larger service providers has increased third-party concentration risk, in which a limited number of providers service large segments of the banking industry for certain products and services. Despite this being an area of increased focus for regulators, the majority (69%) of respondents stated that their programs are not managing for concentration risk.
Fourth-party risk
There's an expectation that organizations will know which of their third parties use subcontractors and that the same levels of controls for risk management are applied through the extended supply chain. The survey found that 20% of participants do not require third parties to disclose sub-contractors, 17% do not have controls in place for how third parties manage subcontractors, and 46% do not conduct due diligence on critical fourth-parties.
Cyber-risk, information security, and data protection
The survey found that 86% of respondents are managing for cyber-risk and information security risk in their programs, and 79% are managing for data privacy risk. Yet, only 27% would be able to produce a report of their third parties with cyber-risk exposure quickly and easily (11% would find this impossible).
In addition to these areas of exposure, the survey found that there was a clear need for better reporting, with the majority of respondents unable to produce standard third-party risk reports completely and quickly. Contributing to this challenge was the lack of a single inventory, the use of disparate systems across organizations, lack of system integration, and technology limitations.
An infographic detailing some of the survey's key findings, incuding salary, budget and program benchmarking information, can be found at: http://info.aravo.com/cefpro-third-party-risk-survey-infographic
About the survey
The research for this survey was conducted during March and April 2018 and was constructed by Aravo Solutions and distributed online by the Center for Financial Professionals. The survey had 211 responses from third-party risk management professionals around the globe. While a broad range of industries were represented, 79% of responses were from the financial services industry.
About the Center for Financial Professionals (CeFPro)
The Center for Financial Professionals (CeFPro) is an international research organization and the focal point for financial risk professionals to advance through renowned thought-leadership, unparalleled networking, industry solutions and lead generation. CeFPro is driven by and dedicated to high quality and reliable primary market research; helping us provide our audience with invaluable peer-to-peer conferences such as our flagship Risk EMEA and Risk Americas series.
CeFPro also boasts knowledge sharing platforms, such as: Risk Webinars, Research Reports, and Risk Insights. Risk Insights are written by the industry for the industry and now covers online articles, a quarterly Risk Insights Magazine, and Risk Insights TV. Learn more at http://www.cefpro.com and http://www.risk-insights.com
About Aravo
Aravo Solutions delivers market-leading cloud-based solutions for managing third-party governance, risk, and performance. We help companies protect their business value and reputation by managing the risks associated with third parties and suppliers, and to build business value by ensuring that their third-party relationships are optimized.
Media Contact: PR Team, Aravo Solutions, 4158357600, [email protected]
News distributed by PR Newswire iReach: https://ireach.prnewswire.com
SOURCE Aravo Solutions
iReach LastName, iReachCompany, 111-222-3333, [email protected]
Share this article